Many Facebook users were assaulted by the following message earlier today, seemingly shared by their online friends:

[SHOCK] At 17, she did THIS in public high school, EVERY day! Outrageous?[LINK]

Is it normal to let her do that? In PUBLIC and such!

The image of a young woman’s bottom in tight-fitting jeans might or might not (depending on your taste) entice you into clicking further – and if you did succumb you would have found your browser taken to a third-party webpage which pretends it is about to show you a video.

However, the “play” button on the video hides a secret “Like” button, which means that you share the link even further across your social network by clickjacking – helping the scammers spread their link virally.

The purpose of scams such as these are typically to lead you to online surveys (which earn the scammers affiliate commission) or to trick you into handing over personal information such as your cellphone number which will then be subscribed to a premium rate service.

Post navigation

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter: <a href="https://twitter.com/gcluley">@gcluley</a>.

78 comments on “Shocking 17-year-old public high school antics clickjack unwary Facebook users into scam”

I had an "uneasy" feeeling – but – because of the poster, I went there….and tried and tried. Ended up on a Hate God blog. That being said,, I ran the Malware system, and came back clean – but is there something more to do so that my system stays clean ?

Nope, the person above you is correct. When someone falls victim to an attack, such as this, the best thing to do is to accept your 50% of the blame. The reason is: all you can do to prevent this is to change your behavior by recognizing your error so you do not fall victim (again). Making excuses for your own stupidity and blaming it on others is the best way NOT to learn to prevent these sort of things from happening. Basically, if the person takes no responsibility, then they do not have to think about how they could prevent it. The only thing you can really disavow responsibility for are things that you do not do.

Sure, the scammers are responsible for some of it, but no one makes anyone click a link. By preying on feeble minds, scammers have a lucrative business. If people were more aware of the ways people trick you, then scammers might not have such a target rich environment, and would have to go make money by earning it legitimately.

No, the previous poster is correct.
If one does not taking responsibility for his or her own actions (clicking the link), that person will never be able to learn. If it was an accident, then there is no blame, but the person who clicked the link is partially responsible. If a person doesn't recognize where they have a choice and instead blames a third party for their error, then they will continue to make the same mistake.
No one blames a snake for eating a squirrel that gets too close. The snake did his job, and the squirrel failed at their job. Because the squirrel would have benefitted instead of the snake if the squirrel had used caution, then it is obvious the squirrel is to blame for his predicament. Luckily, it dies and does not have to live with the realization that it is an idiot. We are all Idiots, sometimes.

And when one person falls victim it encourages the scammers to keep trying. Had scammers not had such a target rich environment of gullible and shallow people looking for things that would excite them, then the scammers might have to make money legitimately.

Not everyone spends 100 hours a week on the Internet. It’s impossible to keep up to date with every scam. When parents see something that might look like a story about someone doing something not so nice at a “public” school they probably want to know what it is. Especially if they think a friend posted it.

My boyfriend had this posted on his fb page WITHOUT clicking the link or playing the video. He'd never seen it before until I pointed it out from my newsfeed.
How can something spread onto your account without you ever clicking on it?

I knew about the link I got hacked with..My sister gets it all the time and I'm the one calling her. I got it today and I don't click on those links because I KNOW about these things happening. So I know I don't click on links, So, tell me how to keep this from coming back. I'm not telling lies but would like to keep a clean account.

i had that too about 2 years back. i went into the security settings and blocked all applications and it stopped. it even deleted the sketchy video links that got posted on my friends' walls from my account. it was a while ago though i don't know if it'll still work. either way it's nice to have all applications blocked. i sure don't miss all those farmville invitations 🙂
hope you manage to get rid of it. good luck!

Haha! Yeah sorry but he lied to you there. He'll have clicked it and not realised that by clicking it, it posted to his wall. To be fair though, the lie will have been said because he was embarrassed and doesn't want you to feel that he cares for you any less. If you find me a guy with a computer who hasn't clicked on a nice bottom every now and again, I'll give you £10000! So don't be mad at him! Just wise up a bit 😉

One of my friends actually had this scam on his page earlier today, and I helped him remove it (I knew it was bad already, even before this article was up). And he's very good with computer related stuff…

it is easy to say "you should be careful" but in reality it is nearly impossible…

It comes from a friend on FB, its a link to an external video (as are 90% of all video links on FB) and it appears to be legitimate (though the 'bottom" video is less so) and it uses technology we already accept and use ("liking" in FB).

Hopefully browsers will evolve to help with this. I would certainly like my browser to pop up a dialog saying "you are about to like something on FB, do you approve?" or friend someone or add them to your circle in google+, etc.

Exactly. It isn't the users fault – there's no reasonable defense against this in terms of common sense. Browsers will likely soon implement a new anticlickjacking technique having to do with UI randomization

Stop clicking on shit on the left hand side of your browser. Most of the crap my "friends" post is inane and of no interest to me. If I do see something interesting I investigate outside of the poison walls of FB. Like everyone before you said, you can't place all the blame on the criminals. I know I can't leave my front door unlocked. Yes, it sucks that I don't have that freedom, but it's reality and I know it so I lock my door. The same can be said about online behavior. Besides, it's a little creepy that grown men are clicking on something that talks about high school underage girls. Just saying…

Its interesting to see that most of those who "fell for this " never noticed that it appeared to be of a young woman pulling her undershirt down.At least that's what I saw in the picture. Why would something like that be considered "shocking" to do in public ? That is the kind of stuff I did in grade school.

What's even more creepy is that the girl is supposedly underage. I'll bet that's part of the draw too. It would get far less clicks if it said – "Overweight mother of 5 does something shocking every day". There's a reason I'm protective of my daughter.

well mine is translated in greek. I mean a greek page posted it too! the grammar wasn't shitty nor was the spelling. It seemed promising, with a girl's bottom showing. you know.. i had to push the button! I just had to! But fortunately i looked it up on google and it sent me here. Afterwards I watched some porn and now I feel much better.

We're talking about people who can't spot the bleedin' obvious, here. How many times have you seen someone claim 'I thought it might be a scam, but clicked on it anyway.' Sometimes I think these people get what they deserve.

Thanks! Filter by Activity Log, click on Posts and Apps to drop down this menu, click on likes and then look through for this specific one – you can then mark it as spam and delete it!! Thanks for this tip – was getting really cross.

[Video] – Girl killed herself, after her dad psted THIS to …
My Norton AV blocked this attack by: Web Attack: Facebook LikeJacking Attack 1.
13-videonow.noq.com.au (184.172.210.108.80)
FYI I didn't click on it out of curiousity, I clicked on it to view the results so that I could warn my FB friends who have already clicked on it this morning and spread on their friends walls.

While being circumspect is a fine -general- suggestion, nothing specific is given here to look for or to avoid.
Yes, blunt titillation is used, but for the largely unsophisticated bulk of social-media users, that is both common and impossible to ignore. (Read as: "Them's gonna keep a-lookin' no matta whut.")
I realize it isn't your failure that no clear, specific indicator is available, but that tells me this article should have (yet another) call to FaceBook demanding basic simple protections from misleading links, hidden function buttons, paste-over graphics and unqualified posting through your account.
These tricks are entirely FaceBook's responsibility and fault.

This is not as difficult, or imprudent as it sounds. I've lost count of how many times I've warned friends that their posts were scams, spam or somehow malicious. Given how common this kind of junk web content is, taking a minute to verify the legitimacy of what you are "sharing" is a good idea.

Interwebz shenanigans aside, if I come across a "news" story with the words "shocking" and "17 year old" in the title, at the very least, I can count on it being just sensationalist, exploitative dribble.

Talk all you want about this boiling down to "using common sense" but the spammers and scammers unfortunately mirror the overall low level integrity the entire world has allowed itself to sink with little regard for decency and honesty toward others.

I was a sucker and got had too. A few months ago a good friend sent this to me. yep I clicked it. not only did it post on my wall, its sent everyone in my contact list (of over 1000+ peeps) the same add. Not to stop there it went so far as to make groups and automatically add every single one of my friends to these groups. So for the next week I had to remove everyone from each group (around 160-200 people) from each group before I could report and shut the group down. It made around 8 groups or so.

Worst thing is, i couldn't get rid of it and it eventually it killed my PC. I will have to recover my hard drive and reinstall my whole operating system.

Apparently I’ve fallen victim to this likejack.That’s not the problem. The real problem is that if friends of my friends (not me or my friends) look at my wall, they will see my having commented on that video and thus parsing it on. However there is no indication in my activity log, that I have liked or commented this video. So shouldn’t Facebook be responsible for this? After all it is the Facebook system that presents stuff on my wall that neither I nor my friends can see.